‎05-14-2020 07:37 AM
I find any user with itil role is able to modify existing configuration items (CI). But I see itil role has nested role cmdb_read only, not write. Not sure any other nested rule is giving update access. If I need to take away modifying CIs, what is the way? Appreciate it.

‎05-14-2020 07:43 AM
Hi Giri,
Did you check for ACL of type write on CI (configuration item) table?

‎05-14-2020 07:43 AM
The itil role has access because they (technician or the person who is working on the incident) need to select the appropriate CI in case the user of the incident selects the wrong CI while submitting the incident.
If you want to understand which fields are editable by itil, have a look at the incident table ACLs with read and write.

‎05-14-2020 07:48 AM
Hello Giri,
Check for existing WRITE ACLs and ensure the ITIL role is not in the list. Alternatively, you can disable the existing one and create a new write ACL and grant the access to the required roles per your requirement.
- Pradeep Sharma
‎05-14-2020 08:36 AM
Thanks for the replies. It is fine to select CI by anyone. I am only talking about the ability to update/create anything in CMDB, not to give to anybody with itil role.
I went to ACL and searched for name cmdb_ci and operation write and found 3. I deactivated the one that has itil role. Now I verified that one with ITIL role can't edit.
I am assuming cmdb_ci is the base table and a lot of others extend this. If I disable write on base, does it automatically disable for all child tables as well?
Thanks for all the help.
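
The ACL search described in the last post, extended to tables that extend cmdb_ci (which can carry their own ACLs), as an added example that is not part of the original thread. The ACL rows, the table hierarchy and the function names are constructed for illustration; on a real instance they would come from an export of the ACL list.

```javascript
// Constructed sample data, shaped like a simplified export of ACL records.
// Table parents and ACL rows are illustrative, not taken from a real instance.
const parentOf = {
  cmdb_ci_hardware: 'cmdb_ci',
  cmdb_ci_computer: 'cmdb_ci_hardware',
  cmdb_ci_server: 'cmdb_ci_computer',
  incident: 'task',
};

const acls = [
  { name: 'cmdb_ci', operation: 'write', active: true, roles: ['itil'] },
  { name: 'cmdb_ci', operation: 'write', active: true, roles: ['asset'] },
  { name: 'cmdb_ci.*', operation: 'write', active: false, roles: ['itil'] },
  { name: 'cmdb_ci', operation: 'read', active: true, roles: ['cmdb_read'] },
  { name: 'cmdb_ci_server.name', operation: 'write', active: true, roles: ['itil', 'admin'] },
  { name: 'incident', operation: 'write', active: true, roles: ['itil'] },
];

// An ACL name is either "table" or "table.field"; keep only the table part.
function tableOf(aclName) {
  return aclName.split('.')[0];
}

// True when `table` is `base` or extends it through any number of parents.
function extendsTable(table, base, parents) {
  const seen = new Set();
  for (let t = table; t && !seen.has(t); t = parents[t]) {
    if (t === base) return true;
    seen.add(t);
  }
  return false;
}

// Active ACLs for `operation` on `base` or a table extending it that list `role`.
// Only roles named directly on the ACL are matched; roles contained in other
// roles are not expanded here.
function findGrants(aclRows, parents, base, operation, role) {
  return aclRows.filter((acl) =>
    acl.active &&
    acl.operation === operation &&
    acl.roles.includes(role) &&
    extendsTable(tableOf(acl.name), base, parents));
}

const hits = findGrants(acls, parentOf, 'cmdb_ci', 'write', 'itil');
for (const acl of hits) {
  console.log(`${acl.name} (${acl.operation}) grants: ${acl.roles.join(', ')}`);
}
```

In this constructed data, deactivating the base-table ACL still leaves the field-level ACL on the child table listed, which is the kind of leftover grant the audit is meant to surface.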